Anti-money laundering: a call to action
From feedback received from participants at training events and from Law Society of Scotland inspectors as a result of inspections, it is clear that there is some confusion surrounding what written anti-money laundering (AML) policies and procedures firms are required to have in place, what they must/can cover, and their place in the hierarchy of AML authorities.
It is the Society’s experience that if a practice unit does not have adequate written policies and procedures in place, that is an early indicator that the level of AML compliance is low. This is likely to lead to the firm’s files disclosing breaches of the regulations, which is not good for the firm and constitutes a serious breach of the Accounts Rules as well as the AML Regulations.
Of more concern to the Society’s Compliance team is that their experience has shown that criminals target solicitors who have not adopted robust AML policies and procedures, with devastating consequences for the solicitors concerned and their firms.
The purpose of this article is to assist firms by clarifying what the Society’s view of best practice is in this regard and what its inspectors will expect to see when carrying out an inspection.
Status of the firm’s policy statement
The list below shows the hierarchy of AML authorities binding on solicitors.
It will come as no surprise that at the top of the list are the Money Laundering Regulations 2007 and the myriad other regulations relating to AML/CTF (counter-terrorist funding). Each one in the list has to obey the guidance or direction given in the authority or authorities above it:
- 2007 Regulations (and other regulations relating to AML/CTF)
- Joint Money Laundering Steering Group (JMLSG) Guidance Part 1 (latest version dated 19 November 2014)
- Society’s view of best practice (influenced by the Fourth EU Anti-Money Laundering Directive, dated 20 May 2015)
- the firm’s AML policy statement, risk register and detailed policies and procedures.
When considering what to include in their risk register, policy statement and detailed AML policies and procedures documentation, members must bear in mind that:
- they will be in breach if they ignore a requirement of the regulations
- the JMLSG Guidance has been approved by HM Treasury and adopted by the Society. It is more akin to subordinate legislation than a practice note. Firms would have to be very confident in their case before departing from it. The Society is the supervisory authority for members, and as such is the ultimate arbiter on what action is appropriate in a given circumstance. The Society’s view on what constitutes best practice is communicated to members via a wide range of media, including articles such as this.
What written AML policies and procedures do you require?
Regulation 20 of the 2007 Regulations sets out what is required, but article 8 of the finalised version of the Fourth Directive is more helpful.
Article 8 sets out a requirement that each firm must maintain a risk register, the importance of which is understood by everyone in the firm, which is kept under continual review and which can be produced to a regulator on request. (Please note: the UK’s intended approach to the requirements of the directive has not been finalised and will be subject to consultation. The Society will also issue guidance on the finalised UK approach.)
Depending on how the UK decides to enact the requirements of the directive, a firm’s risk register would simply list the threats, and identify possible areas where the firm is vulnerable to these threats and the consequences for the firm/staff if the firm is duped. Based on the foregoing, it will grade the risk (“normal”, “heightened” and “exceptional” are commonly used) and, most importantly, give guidance on the steps to be taken to mitigate the risk.
In accordance with article 7.4(e), HM Treasury and the Home Office have made their report UK National Risk Assessment of ML and TF October 2015 available to assist firms in preparing their own risk register.
Article 8 goes on to say that firms must “have in place policies, controls and procedures to mitigate and manage effectively the risks of ML and TF” identified as affecting the firm. This echoes the terms of reg 20 of the 2007 Regulations. The JMLSG Guidance presents these as (a) a policy statement that provides an overview of the firm’s policy and is the firm’s “call to action”, and (b) detailed notes on each policy and procedure. Article 8 provides that the threats faced by the firm are split out into a separate risk register.
These policies and procedures must be written down. They must also specifically address the threats set out in the firm’s risk register and reflect what actually happens across the firm. The purpose of having written policies and procedures is to communicate a clear and consistent message across the firm of what is required of each member of staff, and why it is vital that each person is trained for and carries out their allotted role. Proffering a set of policies and procedures to a Society inspector that you have acquired from a much larger firm or simply printed off the internet is tantamount to an admission that you have no policies, controls or procedures in place.
The Society would much prefer it if you acknowledged this and addressed it now rather than waiting for an inspection to highlight problems. It has, however, recognised that there are still practices that need help to become compliant in this area. The Society has therefore adopted the Kirklands AML Compliance Solution, which will assist firms to reach the required level of compliance and avoid possible disciplinary sanctions by the LSS.
The Kirklands AML Compliance Solution offers comprehensive examples for use by user firms, who are encouraged to tailor those relating to risk and working practices to match their firm’s risk profile and how they operate.
What must/can these AML policies and procedures cover?
The JMLSG Guidance part 1, which is binding on firms regulated by the LSS, expands on reg 20 and should be the first reference point for money-laundering reporting officers (MLROs) and compliance teams who are tasked with reviewing the firm’s AML policies and procedures.
The guidance deals with each element of reg 20 in the chapters referred to below. It is worth noting that due to the absence of any detail in the 2007 Regulations of what these controls should cover, the guidance draws heavily on the Financial Conduct Authority Handbook and, therefore, some of the examples given do require translation into an equivalent situation in the legal sector. That said, the guidance is excellent and will repay careful study.
It includes:
- customer due diligence and ongoing monitoring (chapter 5);
- reporting of suspicions (chapter 6);
- record keeping (chapter 8);
- internal control, risk assessment and management (chapter 4);
- the monitoring and management of compliance with such policies and procedures (paras 3.28-3.30); and
- the internal communication of such policies and procedures, including staff awareness and training (chapter 7).
As is stressed in the JMLSG Guidance, firms determine the extent of their customer due diligence (CDD) and ongoing monitoring measures on a risk-sensitive basis, depending on the type of client, the money involved and the nature of the transaction.
It is open to firms to take a view on a range of risks and set out their policy on these in their AML policies and procedures. The purpose of doing so might be to provide clarity to staff or to preserve resources where, in the firm’s view, there is little or no risk.
Examples of this might be:
- setting a value for each type of work above which the transaction will be deemed to be high value and therefore given a red flag;
- the firm’s policy on gifted deposits below a certain level from the Bank of Mum and Dad;
- the firm’s policy on the use of electronic ID checks, when they can be used as the sole means of identifying clients and beneficial owners and when they can only be used as supplementary evidence;
- identifying types of business that the firm carries out that are outwith the scope of the 2007 Regulations and where there is therefore no requirement to carry out CDD or a risk assessment.
An important caveat to the use of this discretion is that firms must generate their own policy and be able to demonstrate to the Society that their decision to apply reduced CDD measures and monitoring is appropriate in view of the AML/CTF risks presented by the client/transaction.
The downside of taking too bullish an approach to applying reduced CDD measures is that firms could find that the Society takes the view that their variation, when implemented, did not deal appropriately with the risks that were identified in some or all of the transactions. Not only could this result in the firm being directed to remedy the shortcomings in all such files, but also each of them would be treated as a breach of the regulations.
Kirklands are compiling a list of possible examples for inclusion in the policy statement included in the AML Compliance Solution and will be pleased to hear from MLROs on suggested examples for inclusion. The list will be discussed periodically with the Society, which will approve examples in principle, and the approved list will be copied out to those who have contributed. Members will appreciate that, ultimately, the Society can only decide whether a certain course of action was appropriate when reviewing the actual transaction to which the general principle was applied.
Call to action
It is now more than eight years since reg 20 of the 2007 Regulations came into force and there can be no excuse for firms not having written AML policies and procedures in place.
The ongoing work of the LSS inspection team and the adoption of the Kirklands AML Compliance Solution have both been driven by a desire to help members reach acceptable levels of compliance and therefore to protect themselves. However, there is no doubt that not all firms have been able to reach the required level eight years after the arrival of the regulations.
The Society is therefore emphasising policies and procedures during current inspection work, and firms which are found to have failed to put appropriate policies and procedures in place are likely to find themselves reported to the Client Protection Subcommittee, who will determine what further action is required. Firms in this position should therefore probably expect an invitation to an interview by the subcommittee’s interview panel after their inspection.
Failure to comply may result in:
- further inspections at the practice unit’s expense (currently £400 per inspector per day);
- referral of a complaint to the SLCC and potential prosecution before the SSDT;
- an interview under s 40 of the Solicitors (Scotland) Act 1980 to explain why their practising certificate should not be withdrawn for what is a clear breach of the Accounts Rules.
All practice units are advised to attend to this issue as a matter of urgency.